Angular-auth-oidc-client: Token audience problem

Created on 15 Feb 2019 · 4 Comments · Source: damienbod/angular-auth-oidc-client

I'm getting the following error from my Asp.Net Core 2.2 Api project:

```
[18:04:24 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

[18:04:24 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
BearerIdentityServerAuthenticationJwt was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.

[18:04:24 Information] IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler
Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
```

Examining the jwt returned by my Asp.Net Core 2.2 STS project with IdentityServer 4 components at versions:

[screenshot of the IdentityServer4 package versions]

shows an aud of "angularclient" (not https://localhost:44340/resources)

Any suggestions?

All 4 comments

Got it, hope this helps others:

The angular client after logging in is returned:

id token:

{
  "nbf": 1550240640,
  "exp": 1550273640,
  "iss": "https://localhost:44340",
  "aud": "https://localhost:44340/resources",
  "client_id": "angularclient",
  "sub": "71765055-647D-432E-AFB6-0F84218D0247",
  "auth_time": 1550240638,
  "idp": "local",
  "regid": "xxxx",
  "jseg": "xxxxx",
  "jobid": "b0984a87-172a-436e-a382-e95de3e1059f",
  "role": "xxxx",
  "given_name": "xxxxx",
  "family_name": "xxxx",
  "email": "xxxx",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "amr": [
    "pwd"
  ]
}

and access token:

{
  "nbf": 1550240640,
  "exp": 1550243640,
  "iss": "https://localhost:44340",
  "aud": "angularclient",
  "nonce": "N0.55036966062308791550240634889",
  "iat": 1550240640,
  "at_hash": "yNVxDVHkmEmUvurl7XlzuA",
  "sid": "f54dee03793e7cc202b57f1d6de7622e",
  "sub": "71765055-647D-432E-AFB6-0F84218D0247",
  "auth_time": 1550240638,
  "idp": "local",
  "preferred_username": "TSICSuperUser",
  "name": "xxxx",
  "email": "xxxxx",
  "email_verified": true,
  "regid": "xxxxx",
  "jseg": "xxxxx",
  "jobid": "xxxxxxf",
  "role": "xxxxx",
  "given_name": "xxxx",
  "family_name": "xxxxx",
  "amr": [
    "pwd"
  ]
}

NOTE THE DIFFERENT AUDIENCES (aud:)

The Asp.Net Core 2.2 Api Project startup.cs configured IdentityServer4:

```
services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = Configuration.GetValue<string>("IdentityServer4Strings:Authority");
        options.RequireHttpsMetadata = Configuration.GetValue<bool>("IdentityServer4Strings:RequireHttpsMetadata");
        options.ApiName = "api1"; // becomes ValidAudience: the aud the incoming token must carry

        options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;
        options.ApiSecret = Configuration.GetValue<string>("IdentityServer4Strings:STSTSICApisSecuredSecret");
        options.EnableCaching = true;
        options.CacheDuration = TimeSpan.FromMinutes(10); // that's the default
    });
```

and the Bearer authentication error was:

```
2019-02-14 18:03:15.188 -07:00 [DBG] AuthenticationScheme: Bearer was not authenticated.
2019-02-14 18:04:04.360 -07:00 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
2019-02-14 18:04:04.430 -07:00 [INF] BearerIdentityServerAuthenticationJwt was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
2019-02-14 18:04:04.433 -07:00 [INF] Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
```

The "api1" in the error:
`Did not match: validationParameters.ValidAudience: 'api1'`

references startup.cs:

```
.AddIdentityServerAuthentication
options.ApiName = "api1";
```

Changing the Asp.Net Core 2.2 Api project startup.cs to:

```
// critical for bearer authentication, the audience of the id token (set by Options.ApiName) is equal to this value
var idTokenAudience = $"{Configuration.GetValue<string>("IdentityServer4Strings:Authority")}/resources";

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = Configuration.GetValue<string>("IdentityServer4Strings:Authority");
        options.RequireHttpsMetadata = Configuration.GetValue<bool>("IdentityServer4Strings:RequireHttpsMetadata");
        options.ApiName = idTokenAudience;

        options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;
        options.ApiSecret = Configuration.GetValue<string>("IdentityServer4Strings:STSTSICApisSecuredSecret");
        options.EnableCaching = true;
        options.CacheDuration = TimeSpan.FromMinutes(10); // that's the default
    });
```

resolved the issue.

```
2019-02-15 07:45:12.414 -07:00 [INF] Successfully validated the token.
2019-02-15 07:45:12.414 -07:00 [DBG] AuthenticationScheme: Bearer was successfully authenticated.
```
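Added example, not code from the issue or from IdentityServer4: a Python model of the audience comparison behind IDX10214, run against the aud values posted in the comment above. It assumes the IdentityServer4 2.x behaviour that an access token's aud lists the generic `{issuer}/resources` entry plus the name of every ApiResource whose scope the client requested; the payload with aud `[".../resources", "api1"]` is constructed on that assumption.

```python
# Added example (not from the issue or IdentityServer4): a model of the audience
# check behind IDX10214 above, run against the claims posted in the thread.

def audience_matches(token_aud, valid_audience=None, valid_audiences=None):
    """Mimic TokenValidationParameters: the token's aud claim (a string or a
    JSON array) must contain ValidAudience or one entry of ValidAudiences."""
    token_auds = [token_aud] if isinstance(token_aud, str) else list(token_aud or [])
    accepted = set(valid_audiences or [])
    if valid_audience:
        accepted.add(valid_audience)
    return any(aud in accepted for aud in token_auds)

def validate(token, api_name):
    """Return (ok, message) in the wording of the JwtBearer log lines above;
    ApiName in AddIdentityServerAuthentication becomes ValidAudience."""
    if audience_matches(token["aud"], valid_audience=api_name):
        return True, "Successfully validated the token."
    return False, (f"IDX10214: Audience validation failed. Audiences: '{token['aud']}'. "
                   f"Did not match: validationParameters.ValidAudience: '{api_name}'")

ISSUER = "https://localhost:44340"

# Relevant claims of the token the API received (from the thread, other claims
# omitted): its only audience is IdentityServer4's generic "{issuer}/resources".
RECEIVED_TOKEN = {"iss": ISSUER, "aud": f"{ISSUER}/resources",
                  "client_id": "angularclient", "scope": ["openid", "profile", "email"]}

# Constructed: what IdentityServer4 2.x issues when the client also requests the
# scope of an ApiResource named "api1" -- aud becomes an array with both entries.
TOKEN_WITH_API_SCOPE = {"iss": ISSUER, "aud": [f"{ISSUER}/resources", "api1"],
                        "client_id": "angularclient",
                        "scope": ["openid", "profile", "email", "api1"]}

def compare_fixes():
    """Outcome of the three configurations discussed in the thread."""
    return {
        # Original config: fails exactly as logged.
        "api1_vs_received": validate(RECEIVED_TOKEN, "api1")[0],
        # Commenter's fix: passes, but every access token this STS issues carries
        # the generic audience, so the API can no longer tell tokens meant for it
        # from tokens issued for any other API behind the same STS.
        "resources_vs_received": validate(RECEIVED_TOKEN, f"{ISSUER}/resources")[0],
        # Keep ApiName = "api1" and request the api1 scope instead: passes, and
        # tokens not issued for this API are still rejected.
        "api1_vs_scoped": validate(TOKEN_WITH_API_SCOPE, "api1")[0],
    }
```

With ApiName left as "api1", the thread's token validates once an ApiResource named api1 exists on the STS, the client is allowed its scope, and the Angular client requests it; that keeps the API rejecting tokens issued for other APIs behind the same IdentityServer.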

I have a similar issue, posted here.

@toddtsic thanks for the feedback

@toddtsic: That helped me for my Ocelot server, I don't know why in the world the options.ApiName is meant to be the resource URL.
